Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters

Authors

  • Vedad Hadžic Graz University of Technology, Graz, Austria
  • Roderick Bloem Graz University of Technology, Graz, Austria

DOI:

https://doi.org/10.46586/tches.v2025.i1.656-683

Keywords:

AES, Masking, PINI, Low-latency, Mask Reuse

Abstract

Hardware implementations of cryptographic algorithms are susceptible to power analysis attacks, allowing attackers to break the otherwise strong security guarantees. A theoretically sound countermeasure against such attacks is masking, where all key- and data-dependent intermediate values in the computation are split into so-called shares, requiring an attacker to learn all of them before recovering the secret key. Masking a cryptographic hardware design against power analysis attacks incurs large area and latency overheads due to their nonlinear components, especially when implemented using composable masking schemes.
These overheads disproportionately affect ciphers with highly nonlinear monolithic S-Boxes like the Advanced Encryption Standard (AES). The masking of the AES S-Box is well studied, and most implementations use Canright’s F28 inverter design that decomposes operations in a larger field into a combination of multiplications, additions and inversions in a smaller field. While remarkable, Canright’s inverter design has a sub-optimal multiplicative depth, and can thus not take full advantage of recent developments in low-latency composable masking schemes.
In this paper, we present a F28 inverter that achieves the optimal multiplicative depth of three, and use it to construct a more efficient trivially composable masked implementation of the AES S-Box. Moreover, we present HPC3.1, a better low-latency multiplication gadget that works in all finite fields Fpn, and a randomness reuse strategy for both HPC1 and HPC3.1 gadgets that preserves side-channel security. Orthogonally, we also propose an improved bit-level implementation of the F24 inverter for more efficient masked S-Box designs based on Canright’s original F28 inverter.
We develop, functionally test, and formally verify the trivially composable side-channel security of all masked AES S-Box designs. Our evaluation shows that the designs outperform or match the state-of-the-art in terms of latency, randomness use and area cost.

Downloads

Published

2024-12-09

Issue

Section

Articles

How to Cite

Hadžic, V., & Bloem, R. (2024). Efficient and Composable Masked AES S-Box Designs Using Optimized Inverters. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(1), 656-683. https://doi.org/10.46586/tches.v2025.i1.656-683